TRANSCRIPT
Cloud Computing in Healthcare: Mitigating Privacy Risks and Negotiating Business Associate Agreements
Navigating HIPAA, HITECH, State Law and International Jurisdiction Challenges
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, JUNE 11, 2014
Presenting a live 90-minute webinar with interactive Q&A
Joshua Carlson, Principal, Joshua Carlson, P.A., Minneapolis
Patrick X. Fowler, Partner, Snell & Wilmer, Phoenix
Richard L. Green, Partner, McCarter & English, Hartford, Conn.
Cloud Computing in Healthcare: Mitigating Privacy Risks and Negotiating Business Associate Agreements
Joshua Carlson, Esq., CIPP/G, CISSP, PCI-ISA
Joshua Carlson P.A., 800 Washington Avenue North, Ste. 704, Minneapolis, MN 55401
CIPP/G – Governmental Privacy Programs
CISSP – Information Security Programs
PCI-ISA – PCI Payment Card Industry Security Assessor
Member – American Health Lawyers Association
Vice Chair: Minnesota State Bar Computer Technology Law Section
Co-Chair: Data Privacy Subcommittee, Minnesota State Bar Computer Technology Law Section
Mr. Carlson practices nationally in the area of privacy law, cyber security, cloud security, computer and technology law, data security and HIPAA compliance.
Data Privacy & Compliance - TheCarlsonFirm.Com
Intended Audience
Healthcare Lawyers
In-house & Outside Counsel
Compliance Attorneys
Plaintiff & Defense Counsel
Boards and Organizational Leadership
Legal Framework HIPAA & States
47 states have their own data breach and data breach notification requirements; few states are the same, and all require specific adherence.
The HIPAA Final Omnibus Rule has increased required compliance, increased monetary fine capabilities and created full downstream liability for violations.
Managing these compliance risks is possible, and counsel must be involved in projects involving ePHI, new vendors, cloud service providers and risk assessments.
Legal Framework HIPAA & States
One Common Element of All States and HIPAA Related to Liability
Among the 47 different state data protection and data notification laws, and HIPAA, one thing is common to them all: data encryption provides a safe harbor for many aspects of data incident analysis, data incident reporting and actual data disclosure under all state laws and HIPAA. Encrypting sensitive data to, from and in the Cloud can greatly reduce the potential risks of a data incident.
HIPAA Background
1996 – Health Insurance Portability and Accountability Act (HIPAA)
2009 – Health Information Technology for Economic and Clinical Health Act (HITECH Act)
2012 – Omnibus “Final Rule”: made significant updates in requirements and scope for the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the HITECH Act. It went into effect in September 2013.
HIPAA Background
The HIPAA Omnibus Rule allows for increased and stepped-up enforcement against firms that show willful neglect, e.g., not performing a risk analysis on an organization's ePHI.
HITECH made BAs subject to the Security Rule and certain Privacy Rule provisions.
Breach analysis changed: there is now a presumption of a disclosure. The standard of review changed from the "harm standard" to a requirement for a proper risk assessment showing that the incident was not a disclosure.
Cloud services adoption is growing at a compound annual growth rate of over 40% to 50% per year and is gaining momentum. On-premise IT growth is estimated at 5% to 8% and is declining. If your entity is not in the cloud now, plan that it will be; it probably already is without knowing it. If your entity is in the cloud now, it is critical to manage that contract and BAA service to avoid costly and public mistakes. Get involved and get ahead of your entity's current and future cloud use.
[image via CloudProviderUSA.com]
Cloud
Cloud Computing Models
Cloud Computing: Service Models
1. Infrastructure-as-a-Service (“IaaS”)
2. Platform-as-a-Service (“PaaS”)
3. Software-as-a-Service (“SaaS”)
* Noting there are many iterations and namings of this, with hybrids of each.
Cloud Computing Models
Cloud Computing: Service Models
1. Infrastructure-as-a-Service (“IaaS”): most user/consumer control and most responsibility on the entity for managing and securing the system, OS, apps, logging, licensing, etc.
2. Platform-as-a-Service (“PaaS”): more provider control and less consumer control; some shifting of responsibility from user to provider.
Cloud Computing Models
Cloud Computing: Service Models
3. Software-as-a-Service (“SaaS”): most provider control and responsibility. Providers provide the platform and services, perform the software development and sell it as a subscription service. Least responsibility on the entity or consumer.
Cloud Services & Business Associates
Business Associate defined: on behalf of a covered entity, any entity that creates, receives, maintains, or transmits protected health information.
Subcontractor defined: explicitly in scope, any entity to which a business associate has delegated a function or service to perform on behalf of the business associate.
Cloud service providers are specifically included in scope with added definition language.
Cloud Services & Business Associates
Cloud services included in the added definition language: "A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis." (Omnibus HIPAA Final Rule)
Cloud service providers are in scope as business associates and must sign a BAA; if they won't sign a BAA, don't use that cloud service provider.
Cloud & Business Associates
Subcontractors + ePHI are now Business Associates, and Business Associates must follow the Security Rule.
BAs are subject to the Security Rule and certain Privacy Rule provisions.
Must have proper contracts in place with subcontracted entities, e.g., cloud service providers, all the way down the chain of data (more on that shortly).
The Security Rule requires a Risk Analysis.
Cloud & Business Associates
Liability when:
• Impermissible uses and disclosures
• Failure to comply with the applicable requirements of the Security Rule
• Failure to provide an e-copy of ePHI as specified in the business associate contract
• Failure to disclose PHI to HHS for a HIPAA investigation
Legal considerations under HIPAA, HITECH and state privacy laws
HIPAA Omnibus Regulations are in full force.
Record fines are being assessed for HIPAA Security Rule violations; many involve "inadvertent cloud use, inadvertent cloud access or cloud transmission of e-PHI".
Performing a proper risk analysis is a must; not doing so may put an entity into willful neglect.
Entities must perform a risk analysis on systems that store, process or transmit ePHI, including cloud systems.
Legal considerations under HIPAA OCR identified risk areas
What has the Office For Civil Rights (OCR) Identified as initial key areas of risk?
Legal considerations under HIPAA, HITECH and state privacy laws
Cloud providers need to sign a BAA and be managed and under contract.
Avoid cloud subcontractors that won't sign a BAA.
Know where your cloud provider is, and whether they use other subcontracted entities.
Lack of awareness, knowledge or understanding of where an entity's data is and goes is not a defense.
Legal considerations for violations of HIPAA
• Patient and entity lawsuits related to unlawful disclosures
• A governmental civil monetary penalty (CMP) may be imposed
• A governmental signed resolution agreement may be required
Legal considerations for violations of HIPAA
Resolution agreements may require added scrutiny for a set number of years, e.g., 3 years added monitoring. Resolution agreements may have corrective action plan (CAP) provisions required of the entity.
Recent HIPAA Rulings
Reported by OCR, May 2014: Data breach results in $4.8 million HIPAA settlements. Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
Recent HIPAA Rulings
May 2014: NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.
HIPAA Legal Considerations: Cloud / Decrees Guidance
HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
a. NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured.
b. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.
HIPAA Legal Considerations: Real World
c. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient data bases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
d. NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient data bases, and it failed to comply with its own policies on information access management.
HIPAA Legal Considerations: Corrective Action Plan (CAP)
A. Modify Existing Risk Analysis Process
B. Develop and Implement a Risk Management Plan
C. Review and Revise Policies and Procedures on Information Access Management
D. Review and Revise Policies and Procedures on Device and Media Controls
E. Implement Process for Evaluating Environmental and Operational Changes
F. Develop an Enhanced Privacy and Security Awareness Training Program
8 Practical Legal Mitigation Strategies
1. Perform a Risk Analysis and include any interaction in or with the Cloud providers
2. Find all your PHI; map the flow of PHI movement within your organization, as well as flows to/from third parties
3. Have an accurate map of where your ePHI data flows from beginning to end and in-between
4. Have an accurate list of all vendors and subcontractors that are involved in ePHI and maintain proper vendor management
8 Practical Legal Mitigation Strategies
5. Conduct a robust review & assessment of where ePHI is, and encrypt it wherever possible
6. Have and enforce a Cloud policy
7. Don't get stuck with a mystery cloud where no one (or only one person) knows how the Cloud really works
8. Strategize and learn how to use and negotiate the contracts, master service agreements, service level agreements and business associate agreements involved
Joshua Carlson, Esq., CIPP/G, CISSP, PCI-ISA
[email protected]
Joshua Carlson P.A., 800 Washington Avenue North, Ste. 704, Minneapolis, MN 55401
BOSTON // HARTFORD // NEW YORK // NEWARK // PHILADELPHIA // STAMFORD // WASHINGTON, DC // WILMINGTON
Cloud Computing in Healthcare: Contracting to Protect Your Data
Presented by:
Rich Green, Partner
June 11, 2014
What we’ll cover:
• What is the Cloud?
• Reality check: When the “Cloud” isn’t.
• A few good clauses go a long way…
• Where’s your data?
• Who’s accessing it?
• What are they doing with it?
• When will it be available?
• What if there’s a disaster?
• Who will be responsible for a security incident?
“[W]e’ve redefined cloud computing to include everything
that we already do [. . .] I can’t think of anything that isn’t
cloud computing. [. . .] I mean it is the stupidest [thing].
“‘Oh, I am going to access data on a server on the Internet.’
That is cloud computing? Maybe I’m an idiot, but I have no
idea what anyone is talking about. [. . .] It’s complete
gibberish. It’s insane.”
Larry Ellison
CEO of Oracle Corp.
September 2009
What is the Cloud
“By implementing hybrid/
cloud computing, [survey]
respondents hoped to achieve
improved provisioning time,
data center scalability and data
center security. The gap
between expectations and
reality, however, was
[substantial].”
Evolution to the Cloud Survey at page 10
conducted by Symantec Corp., 2011
What is the Cloud
Reality check
On Prem:
• installed on your server
• at your facility
• license fee separate from maint/support fee
• substantial implementation
Hosted:
• installed on your or vendor server
• at vendor facility
• hosting fee added
• hosting environment set up needed in addition to implementation
X-a-a-S:
• vendor’s server
• vendor’s facility
• single fee
• minimal set up
a few good clauses
Scaling Contracts to Risk
• low risk (e.g., Medacist)
• moderate risk (e.g., TriZetto)
• high risk (e.g., PBMs/ASOs, EHRs)
a few good clauses
Where’s Your Data?
• On-shore or off?
• Facilities Quality?
• Change of location?
a few good clauses
Where’s Your Data?
On-shore or off?
In no event, whether by itself or through any otherwise approved Third Party Supplier, shall Supplier perform Services outside the continental United States or its commonwealths, territories and possessions (including indirectly via remote network access) without the prior written consent of Customer in each instance.
a few good clauses
Where’s Your Data?
Facilities Quality?
Facility Standards. Supplier will use only data center facilities located in the United States which, in all cases, meet, at least at the facilities level, the Recognized Facility Standards in each of the financial controls, security and infrastructure and operations categories, as defined below (“Approved Facility”). As used herein, “Recognized Facility Standards” means any of the following within each category:
• for financial controls, the SSAE 16 standard (and any successor thereto) promulgated by the American Institute of Certified Public Accountants;
• for security, the AT 101 standards (and any successor thereto) promulgated by the American Institute of Certified Public Accountants, the 27000 series standards promulgated by the International Standards Organization (and any successor thereto);
• for infrastructure and operations, the TIA-942/Tier III classification promulgated by the Uptime Institute and the Telecommunications Industry Association (and any successor thereto).
a few good clauses
Where’s Your Data?
Change of Location?
Migration. Supplier shall provide reasonable advance notice of any change in any Approved Facility location with reasonable assurances that the new data center meets the requirements hereunder. Supplier shall perform, at no additional charge (for either fees or expenses), all such services as are necessary to complete the orderly transition of the applicable services and data to the new facilities (the “Migration Services”). The Migration Services shall be performed in accordance with a plan and on a schedule approved by Customer, which approval shall not be unreasonably withheld, delayed or conditioned. There shall be no suspension or change in any service levels during the Migration Services unless otherwise agreed in writing by the parties and a discount or waiver of fees is provided to Customer in an amount reasonably proportionate to the period of suspension or magnitude of change.
a few good clauses
Who’s Accessing Your Data?
• Vendor Personnel
• Subcontractors
• Third Parties
• HIPAA – BA Issues
a few good clauses
Who’s Accessing Your Data?
Vendor Personnel
All Supplier Personnel shall be screened: (a) for convictions of felonies and financial-related crimes committed during the last seven years; (b) to verify they are not subject to or included on, or otherwise prohibited or debarred under the Lists of Excluded Individuals/Entities maintained by the Office of the Inspector General of the U.S. Health and Human Services Agency; and/or the regulations administered by the Office of Foreign Assets Control of the United States Department of the Treasury through the General Services Administration’s Federal Acquisition Regulation compliance program; and (c) for compliance with immigration laws. Without limiting the screening required above, Supplier Personnel having direct access to Customer Data shall be screened for: (i) verification of Social Security Number; (ii) seven-year county of residence criminal conviction (CORI) search; (iii) minimum 5 panel drug screen; (iv) five-year work history; and (v) fingerprinting with the search sent to and conducted by the Department of Justice/FBI; and (vi) education and professional licenses, if applicable. Supplier personnel failing any such screening shall not be assigned to perform Services or shall be removed upon notice to the applicable Customer if discovered after the commencement of performance.
a few good clauses
Who’s Accessing Your Data?
Subcontractors
Supplier shall not, without the prior written consent of Customer, provide the Services through any third party including any Affiliates of Supplier (each a “Third Party Supplier”). If a Customer approves Supplier’s use of a Third Party Supplier: (a) Supplier shall be the prime contractor to the applicable Customer with respect to such Third Party Supplier and shall assume full responsibility and liability for the Services and performance of the Third Party Supplier; and (b) prior to disclosing any of Customer’s or its Affiliates’ Confidential Information or performance of Services by such Third Party Supplier, Supplier shall have or enter into a written agreement with the Third Party Supplier expressly binding such Third Party Supplier to the confidentiality and data security provisions of this Agreement and such terms shall govern the Third Party Supplier irrespective of any contrary term or condition that may be contained in a separate agreement between Supplier and any Third Party Supplier. Supplier shall provide the applicable Customer with written evidence in a form reasonably acceptable to the Customer of compliance with the foregoing.
a few good clauses
Who’s Accessing Your Data?
Non-Subcontractor Third Parties
Facilities Standards – AT101 and ISO 2700x
• dual-factor access control (with at least one biometric factor) at principal facility access points
• single-factor biometric authentication to all interior secure areas
• single-factor biometric access control at individual cage access points
• 24x7x365 on-site security, CCTV surveillance of interior and exterior strategic locations and access points with a minimum of 10 days video retention
a few good clauses
Who’s Accessing Your Data?
HIPAA – BA
If BA is permitted to use a Subcontractor under the Underlying Agreement, BA and such Subcontractor shall enter into a written business associate agreement containing the same restrictions and conditions that apply to BA under this BA Agreement. BA also may disclose PHI to a third party (who is not a Subcontractor) to the extent required for the proper management and administration of BA or to carry out BA’s legal responsibilities, provided that such third party disclosure is either: (a) Required by Law; or (b) occurs only after BA has obtained reasonable assurance from the third party person or entity to which BA will disclose PHI stating that such person or entity will (i) hold the PHI in confidence and use or further disclose the PHI only for the purpose for which BA disclosed PHI to the person or entity or as such third party is Required by Law to further disclose, and (ii) promptly notify BA of any instance of which the person or entity becomes aware in which the confidentiality of PHI was breached.
a few good clauses
What are they doing with your Data?
• Restricting Use
• Allowing Aggregation
• HIPAA – BA Issues
a few good clauses
What are they doing with it?
Option 1 – Restrictive
Customer Data. As between Supplier and Customer, all data provided to Supplier by or on behalf of Customer under an Agreement (“Customer Data”), remains the sole property of Customer. Customer Data shall be considered Confidential Information, subject to the terms of an Agreement. Supplier Personnel shall not have the right to copy Customer Data except to the limited extent necessary to perform under an Agreement. Supplier shall be responsible for deletion, destruction or alteration of Customer Data while in the possession or custody or under the control of Supplier Personnel. The Customer Data shall not be used by Supplier for any purpose other than that of providing Services, nor shall the Customer Data be disclosed, sold, assigned, leased, benchmarked, aggregated or otherwise disposed of to third parties by Supplier or commercially exploited by or on behalf of Supplier and Supplier Personnel.
a few good clauses
What are they doing with it?
Option 2 – Less Restrictive
Disclosure of Claims Data. Notwithstanding any other provision of this Agreement, TPA and TPA’s Affiliates shall have the right to use and disclose Claims Data collected in the performance of Services under this Agreement, so long as: (a) the Claims Data is aggregated and de-identified in a manner consistent with the requirements of HIPAA and in all instances shall not disclose Claim Data in any manner that would reveal the identity of patients, Plan Participants, the pharmaceuticals authorized for them or any clinical and PHI about them sufficient to identify them; and the Claims Data is used or disclosed for research, health oversight activities, benchmarking, and analysis of industry and health care trends or other substantially similar purposes permitted by law and consistent with the disclosure practices described to BSC upon entering into this Agreement; or (b) a Member has consented to the release of his or her individually identifiable data. Under no circumstances shall the Claims Data be sold to any third party or used (whether or not sold) by any Affiliate of TPA for commercial gain.
a few good clauses
What are they doing with it?
HIPAA – BA
BA shall not use or disclose PHI except to the Minimum Necessary degree required to perform for the benefit of CE under the Underlying Contract and then only to the extent permitted by this BA Agreement or as Required by Law. BA shall develop, implement, maintain and use appropriate safeguards to protect the privacy of PHI to comply with HIPAA Rules. This shall include appropriate administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that BA creates, receives, maintains or transmits. BA may use PHI internally for its proper management and administration or to carry out its legal responsibilities.
a few good clauses
When will your data be available?
• Uptime SLA
• Periodic Delivery
• Post-Termination
• HIPAA – BA Issues
a few good clauses
When will your data be available?
Uptime SLA – the basics
Without limiting Supplier’s obligations to meet the Availability Service Level (defined below), Supplier shall use commercially reasonable efforts to make sure that the Software and portions thereof will be “available” to Authorized Users 24 hours per day, 7 days per week, 365 days per year. Notwithstanding the foregoing, Supplier shall ensure that the Software is “available” for use by Authorized Users ninety-nine and nine tenths percent (99.9%) of the time 7 days per week, 365 days per year excluding Scheduled Downtime (the “Availability Service Level”). For purposes of this Agreement, System “available” and its variants means a working database server with the Software and Customer’s database(s) mounted, running, and accessible from all servers to the public Internet. “Scheduled Downtime” means 6:00 p.m. Saturday Eastern prevailing time through 5 a.m. Monday Eastern prevailing time.
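As an added example (not part of the presentation), the script below applies the clause above the way a customer would when auditing a vendor's monthly uptime report: it removes the Scheduled Downtime window (Saturday 6:00 p.m. through Monday 5:00 a.m.) from the measurement period, subtracts any outage time that falls inside that window, and compares the result with the 99.9% target. The four-week period, the outage records, and the decision to treat every timestamp as already expressed in Eastern prevailing time (naive datetimes, no DST handling) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example, not from the webinar materials. All datetimes are naive and
# assumed to already be in Eastern prevailing time, as the clause itself reads.

AVAILABILITY_TARGET = 0.999               # "ninety-nine and nine tenths percent"
SCHEDULED_START_WEEKDAY = 5               # Saturday (Monday == 0)
SCHEDULED_START = timedelta(hours=18)     # 6:00 p.m. Saturday
SCHEDULED_LENGTH = timedelta(hours=35)    # through 5:00 a.m. Monday


@dataclass(frozen=True)
class Interval:
    start: datetime
    end: datetime

    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def overlap_seconds(a: Interval, b: Interval) -> float:
    """Length of the intersection of two intervals; zero if they do not meet."""
    latest_start = max(a.start, b.start)
    earliest_end = min(a.end, b.end)
    return max(0.0, (earliest_end - latest_start).total_seconds())


def scheduled_downtime_windows(period: Interval):
    """Yield every Scheduled Downtime window that could touch the period."""
    # Walk back to the Saturday on or before the period start, then step weekly.
    day = period.start.date()
    while day.weekday() != SCHEDULED_START_WEEKDAY:
        day -= timedelta(days=1)
    window_start = datetime.combine(day, datetime.min.time()) + SCHEDULED_START
    while window_start < period.end:
        yield Interval(window_start, window_start + SCHEDULED_LENGTH)
        window_start += timedelta(days=7)


def measured_seconds(period: Interval) -> float:
    """Seconds in the period that count toward the SLA (scheduled downtime removed)."""
    excluded = sum(overlap_seconds(period, w) for w in scheduled_downtime_windows(period))
    return period.seconds() - excluded


def counted_outage_seconds(period: Interval, outages) -> float:
    """Outage time inside the period, minus any part that falls in Scheduled Downtime."""
    total = 0.0
    for outage in outages:
        in_period = overlap_seconds(period, outage)
        if in_period == 0:
            continue
        clipped = Interval(max(outage.start, period.start), min(outage.end, period.end))
        excused = sum(overlap_seconds(clipped, w) for w in scheduled_downtime_windows(period))
        total += in_period - excused
    return total


def availability(period: Interval, outages) -> float:
    return 1.0 - counted_outage_seconds(period, outages) / measured_seconds(period)


def downtime_budget_seconds(period: Interval) -> float:
    """Unscheduled downtime the supplier may accrue and still meet the target."""
    return (1.0 - AVAILABILITY_TARGET) * measured_seconds(period)


def sla_met(period: Interval, outages) -> bool:
    return availability(period, outages) >= AVAILABILITY_TARGET


# Constructed sample: four weeks starting Monday 2 June 2014 at 5:00 a.m. Eastern,
# i.e. right at the end of a Scheduled Downtime window.
JUNE_2014 = Interval(datetime(2014, 6, 2, 5), datetime(2014, 6, 30, 5))

SAMPLE_OUTAGES = [
    Interval(datetime(2014, 6, 10, 14, 0), datetime(2014, 6, 10, 14, 20)),  # Tuesday: fully counted
    Interval(datetime(2014, 6, 14, 17, 30), datetime(2014, 6, 14, 19, 0)),  # straddles Saturday 6 p.m.
    Interval(datetime(2014, 6, 22, 2, 0), datetime(2014, 6, 22, 3, 0)),     # Sunday: fully excused
]

if __name__ == "__main__":
    budget_min = downtime_budget_seconds(JUNE_2014) / 60
    counted_min = counted_outage_seconds(JUNE_2014, SAMPLE_OUTAGES) / 60
    print(f"budget {budget_min:.1f} min, counted {counted_min:.1f} min, "
          f"availability {availability(JUNE_2014, SAMPLE_OUTAGES):.4%}, "
          f"met={sla_met(JUNE_2014, SAMPLE_OUTAGES)}")
```

With the sample data the 90-minute Saturday outage only costs 30 counted minutes and the Sunday outage costs nothing, yet the month still misses the target: 50 counted minutes against a budget of roughly 32, which is why the exclusion window and the measurement period both deserve attention in negotiation.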
a few good clauses
When will your data be available?
Uptime SLA – tricks of the trade
Supplier will be responsible for the hardware, equipment, telecommunications and networking infrastructure necessary to provide the Software from a point of demarcation starting with the Appliance permitting ingress to the Data Center from the WAN Circuit, continuing thereafter to the Data Center’s egress Appliance back to the Public Circuit. For avoidance of doubt, Supplier is not responsible for the Public Circuit itself, except that Supplier shall perform an industry-accepted ping-like monitoring test of the telecommunications line connected to its ingress/egress Appliance every ten (10) minutes and immediately take corrective action if such test does not return a signal indicating proper functioning. As used herein the term “Appliance” means either a router, or if a dedicated PBX or switching software is leased or owned by Supplier, such PBX or switching software; and where the term “Public Circuit” means the third party provided circuits, overland and/or submarine cabling and other connectivity infrastructure from a point of demarcation starting at the point immediately after the ingress/egress Appliance at the Customer site to the point immediately before the ingress/egress Appliance router at the Data Centers.
a few good clauses
When will your data be available?
Periodic Delivery
Data Refreshes; Backup and Data Return. On a continuous basis, Supplier shall refresh Customer Data transmitted through the Software provided by Customer’s Authorized Users. Upon Customer’s written request from time to time (but no more than once per quarter), Supplier shall provide to Customer a copy of all of Customer Data provided by Customer’s Authorized Users in a format mutually agreed to by the parties. Unless more frequent back-ups are provided under Supplier’s separate back-up and DR-BC Plan, back-up services shall be performed for all Customer Data at least daily with offsite storage of all media used therefor.
a few good clauses
When will your data be available?
Post Termination
The Disengagement Services shall include the performance by Supplier of such services as shall be necessary to facilitate the orderly transfer of the Client Data to Client or its designee including delivery of Client Data in native or other agreed format which shall in all events be readable/useable with common, commercially available software. Supplier shall have no right to delete Client Data from its servers until 180 days after termination or expiration or 10 days following completion of the agreed Disengagement Services, whichever is later. At that time, Supplier shall certify to such destruction in writing.
a few good clauses
When will your data be available?
HIPAA – BA
BA agrees to provide access to PHI in a Designated Record Set, in the time and manner Required by Law, to CE or, as directed by CE, to a Data Subject, in order to meet the requirements under 45 C.F.R. 164.524. BA may impose a reasonable cost-based fee for the provision of copies of PHI in a Designated Record Set in accordance with 45 C.F.R. 164.524(c)(4). In addition, BA will, upon receipt of written notice from the Requesting Party, promptly amend or permit the Requesting Party access to amend any portion of a Data Subject’s PHI that is in a Designated Record Set in the custody or control of BA, so that CE may meet its access obligations under 45 C.F.R. § 164.526. BA shall also, as necessary to satisfy CE’s obligations under 45 C.F.R. 164.528, maintain and make available such information as is required to provide an accounting of disclosure to Data Subjects. If CE requests an accounting of a Data Subject’s PHI more than once in any twelve (12) month period, BA will impose a reasonable fee for such accounting in accordance with 45 C.F.R. 164.528(c). As used herein “Data Subject” means the person to whom the applicable PHI relates; “Requesting Party” means CE or the Data Subject, as applicable to each request.
a few good clauses
What if there’s a disaster?
The Basic Plan
Supplier has established, tested and, throughout the Master Term, will maintain and test at least annually, a comprehensive disaster recovery and business continuity plan consistent with the principles of ISO 22301 (the “DRBC Plan”), sufficient to respond to, manage and minimize the adverse effect of any event, whether or not within Supplier’s control, that is or may reasonably be expected to prevent or materially adversely affect the availability of the Service or cause damage to Supplier equipment or facilities (“DRBC Events”). Upon Customer’s request, Supplier will: (a) certify the DRBC Plan is fully operational and continues to be tested no less than once annually; (b) provide Customer with a copy of the DRBC Plan and/or any results of the test thereof; (c) promptly complete and return Customer's annual Business Continuity/IT Security questionnaire; and/or (d) permit Customer (or its designated third party auditor, subject to confidentiality restrictions) to observe annual testing of the DRBC Plan. Supplier shall ensure that reinstatement of the Services under the affected Service Contracts will receive as high or greater priority as that of reinstatement of services for Supplier’s Affiliates and other customers.
a few good clauses
What if there’s a disaster?
The SLAs – RTO and RPO
The DRBC Plan shall at a minimum, include a recovery strategy which includes alternative work sites; off-site back-ups of all data and relevant computer systems; personnel plans; and physical and remote access to a recovery site and appropriate procedures to resume the Services within no more than 72 hours of the occurrence of the DRBC Event and no greater than 24 hours of data loss.
Force Majeure
Supplier shall immediately implement the DRBC Plan upon the occurrence of a DRBC Event and, notwithstanding anything to the contrary herein, will not be relieved from such obligation on account of an FM Event.
a few good clauses
Who’s responsible for security incidents?
• Notice and Response
• Remedies
• Liability
• HIPAA – BA Issues
Notice and Response
Without limitation of Supplier’s general security and confidentiality obligations,
Supplier shall advise Customer within twenty-four (24) hours of learning or forming
any reason to believe that there has been unauthorized access to or use of, or any
security breach relating to or affecting, Regulated and Personal Information, or that
any person who has had access to Regulated and Personal Information has
violated or intends to violate the terms of this Policy (“Security Incident”), and
Supplier shall, at its own expense, cooperate with Customer and its Affiliates in
investigating and responding to the Security Incident. In all cases, Customer shall
be the only party to make determinations regarding the actions to be taken under
Applicable Data Privacy and Data Security Laws and Standards with respect to
Customer Data, including directing Supplier to take action Customer reasonably
believes is required for complying with Applicable Privacy and Data Security Laws
and Standards (e.g., notice).
Remedies
Supplier shall be responsible for associated costs that Customer, its Affiliates
and/or Supplier may incur in connection with responding to or managing a
Security Incident including no less than one (1) year of credit monitoring and
identity theft insurance for affected individuals. The remedies set forth herein
shall be in addition to any other remedies at law and equity available to
Customer or its Affiliates.
Liability
• fully indemnified
• uncapped
• inclusive of consequential damages
• ipso facto
HIPAA – BA – The basics
BA shall notify CE, in manner, means and form that are fully compliant with the HIPAA Rules and in all instances shall: (a) report to CE any use or disclosure of PHI not permitted by this BA Agreement, including any such use or disclosure which BA determined, through the procedures set forth in the HIPAA Rules, did not constitute a Breach, not more than 48 hours after discovery of such non-permitted use or disclosure; (b) report to CE any Breach of Unsecured PHI not more than 24 hours after discovery of such potential Breach; and (c) BA will report to CE any Security Incident of which BA becomes aware via a monthly report, except if any such Security Incident resulted in a disclosure not permitted by this BA Agreement or Breach of Unsecured PHI, BA will provide notice in accordance with the provisions set forth in (a) or (b) above. As part of such notice, or as soon thereafter as is reasonably practicable, BA shall provide CE with the identification of each individual whose Unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used or disclosed during the Breach, together with any other available information that CE is required to include in any notice to the individual under 45 C.F.R. 164.404(c). For avoidance of doubt, “discovery” under this Section shall be interpreted in accordance with 45 C.F.R. 164.410. BA shall mitigate, to the extent practicable, any harmful effect known or made known to the BA resulting from a use or disclosure in violation of this BA Agreement.
HIPAA – BA – Emerging Issue
The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
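One way a business associate's incident-tracking tooling could encode the notice tiers in the two clauses above (the 24-hour Breach track, the 48-hour non-permitted-use track, the monthly Security Incident report, and the deemed-notified Unsuccessful Security Incidents) is sketched below. This is an added example written for this page, not code from the webinar, its presenters or any actual BAA. The hour figures are the clauses' own; the event-type identifiers, field names, sample incidents, and the simplification that PHI which was encrypted (so not "Unsecured PHI") or which the HIPAA risk assessment found to carry a low probability of compromise falls on the 48-hour track rather than the 24-hour one are assumptions made for the example.

```python
"""Triage of security incidents against the BA notice clauses quoted above.

Added example for this page; not code from the webinar or any BAA.  The
24 h / 48 h / monthly figures come from the clause text; everything else
(event-type names, field names, sample incidents) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Track(Enum):
    DEEMED_NOTIFIED = "Unsuccessful Security Incident: no additional notice required"
    MONTHLY_REPORT = "Security Incident: include in the monthly report (clause c)"
    NOTICE_48H = "non-permitted use/disclosure, not a Breach: notice within 48 hours (clause a)"
    NOTICE_24H = "Breach of Unsecured PHI: notice within 24 hours (clause b)"


# Categories the "Unsuccessful Security Incidents" language enumerates: pings and
# other broadcast attacks on the firewall, port scans, failed log-ons, denials of
# service.  The identifiers are constructed; a real BA maps its alert taxonomy here.
UNSUCCESSFUL_EVENT_TYPES = frozenset(
    {"ping_sweep", "firewall_broadcast", "port_scan", "failed_logon", "denial_of_service"}
)

NOTICE_HOURS = {Track.NOTICE_24H: 24, Track.NOTICE_48H: 48}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    event_type: str
    discovered_at: datetime            # "discovery" as interpreted under 45 C.F.R. 164.410
    phi_involved: bool                 # PHI accessed, acquired, used or disclosed
    phi_unsecured: bool                # not encrypted/destroyed, i.e. "Unsecured PHI" (assumption)
    low_probability_of_compromise: bool  # outcome of the HIPAA Rules' risk assessment (assumption)
    affected_individuals: tuple = ()


def classify(inc: Incident) -> Track:
    """Map an incident to the clause tier that governs how the CE is told."""
    if not inc.phi_involved:
        # No unauthorized access, use or disclosure of PHI: the standing monthly
        # report applies, and the enumerated noise categories need no notice at all.
        if inc.event_type in UNSUCCESSFUL_EVENT_TYPES:
            return Track.DEEMED_NOTIFIED
        return Track.MONTHLY_REPORT
    if inc.phi_unsecured and not inc.low_probability_of_compromise:
        return Track.NOTICE_24H
    return Track.NOTICE_48H


def notice_due(inc: Incident):
    """Datetime by which the CE must be notified, or None if deemed notified."""
    track = classify(inc)
    if track is Track.DEEMED_NOTIFIED:
        return None
    if track is Track.MONTHLY_REPORT:
        # Next monthly report: first day of the month after discovery (assumed cadence).
        first = inc.discovered_at.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        return (first + timedelta(days=32)).replace(day=1)
    return inc.discovered_at + timedelta(hours=NOTICE_HOURS[track])


def notice_payload(inc: Incident) -> dict:
    """Minimum content of the notice; the 24-hour track must name each individual."""
    track = classify(inc)
    payload = {"incident_id": inc.incident_id, "track": track.name, "due": notice_due(inc)}
    if track is Track.NOTICE_24H:
        # Identification of each individual whose Unsecured PHI was involved, so the
        # CE can prepare its own 164.404(c) notice to those individuals.
        payload["affected_individuals"] = list(inc.affected_individuals)
    return payload


def overdue(inc: Incident, now_iso: str) -> bool:
    """True if the clause deadline has passed as of the ISO-8601 timestamp given."""
    due = notice_due(inc)
    return due is not None and datetime.fromisoformat(now_iso) > due


# Constructed sample incidents (not real events); all discovered at the same time.
T0 = datetime(2014, 6, 11, 13, 0)
SAMPLE = [
    Incident("INC-1", "port_scan", T0, False, False, False),
    Incident("INC-2", "malware_on_workstation", T0, False, False, False),
    Incident("INC-3", "misdirected_email", T0, True, True, True),   # risk assessment: low probability
    Incident("INC-4", "lost_laptop", T0, True, False, False),       # full-disk encryption: PHI secured
    Incident("INC-5", "web_portal_exposure", T0, True, True, False,
             ("patient-0017", "patient-0042")),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, "->", classify(inc).value, "| due:", notice_due(inc))
```

The ordering of the checks matters: the "deemed notified" shortcut is only reached when no PHI was touched, so a port scan that actually led to a disclosure lands on clause (a) or (b), which is what the clause's own "except if" language requires.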
CONTACT
Rich Green
McCarter & English LLP
860.275.6757
Cloud Computing in Healthcare: Liability for a Data Breach &
Cyber-Insurance Considerations
June 11, 2014
Patrick X. Fowler Snell & Wilmer L.L.P.
Phoenix, Arizona [email protected]
Financial Exposures From a PHI Data Breach
1. Forensic Examination
2. Notification of Affected Third Parties
3. Crisis Management/Public Relations
4. Call Centers
5. Credit/Identity Monitoring
6. Legal and Regulatory Defense
7. Fines and Penalties from Regulatory Proceedings
8. Comprehensive Written Information Security Program
Forensic Examination
• Determines the scope and severity of a data breach;
• An essential step in the process; publicly disclosing details of a data breach before conducting this examination can worsen the situation and result in higher overall costs.
– Per the 2014 Ponemon report on data breach costs, companies that respond with quick notifications incur total costs of $155 per record.
– By comparison, companies that first take the appropriate time to analyze the event incur costs of $145/record.
Financial Exposure
Forensic Examination
• Can be performed either by internal staff or an outside third party.
• However, internal investigations can result in suspect results and/or authentication issues;
– Third parties are typically engaged to ensure quality and maintain objectivity.
• The cost of engaging a third party forensics firm is often covered under cyber liability policies.
Notification of Affected Third Parties
• The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
• Similar breach notification provisions, implemented and enforced by the Federal Trade Commission, apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
• Forty-seven states, the District of Columbia, Puerto Rico and the Virgin Islands also have enacted data breach notification laws.
• Notification costs vary depending on the number of records or individuals affected.
• Because of the highly regulated environment, notification costs in PHI breach cases often run higher than in non-PHI breach cases.
• The direct costs associated with determining applicability of state notification laws (i.e., legal fees) and the costs of the actual notification of affected third parties are often covered under cyber liability policies.
Crisis Management/Public Relations
• A PR firm that specializes in damage control can help mitigate harm to the breached company’s reputation.
• The direct cost of hiring a PR firm is covered under some cyber liability policies, but…
• The indirect adverse impact on the breached company is largely uninsurable.
– i.e., the potential long-term loss of confidence among customers and business partners, which in turn can impact sales and revenue.
Call Centers
• Companies often include a phone number in the notification letters for affected individuals wanting more information about the extent of the breach, the company’s response, or next steps.
• Can hire vendors that specialize in comprehensive breach response to provide call center services.
• Costs are usually calculated by call volume and length of time the center will be dedicated to fielding questions and providing information.
• Covered by some cyber liability policies.
Credit and/or Identity Monitoring
• Often provided to affected persons.
• Credit monitoring services focus on financial items like credit history and new account creation and activity.
• Identity monitoring tracks activities relative to medical, employment, and other types of fraud.
• Identity restoration can be sought if identity theft occurs.
• Many cyber liability policies do not commonly cover these services
– Can become very expensive in large data breach events
Legal and Regulatory Defense
• Claims from a data breach can come from many parties, but most frequently from consumers and banks.
• Per the NetDiligence Cyber Liability and Data Breach Insurance Claims Study, legal damages are the largest component of costs paid by insurance carriers who participated in the survey.
– The average cost for legal defense was $500,000, while the
average legal settlement was $1 million.
– Consumer claims are typically filed as class action lawsuits, but tend to have limited success given the difficulty in proving injury in the absence of actual or imminent identity theft.
Regulatory Proceedings, Fines and Penalties
• Increased scrutiny regarding healthcare organizations due to their handling of Protected Health Information (PHI).
• Depending on the nature of the data breach, a company may have to defend itself against investigations launched by multiple federal or state authorities, such as the FTC, HHS, SEC, DOJ and/or state attorneys general.
• A breached company may also be subject to significant fines and penalties if found to be non-compliant with privacy and data security requirements applicable to PHI.
• The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines basic requirements regarding the secure handling of PHI.
• As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) established a tiered civil penalty structure for HIPAA violations.
• Fines can range from $100 per violation to a maximum of $1.5M.
– The Dept of Health and Human Services (HHS) has fined several entities as a result of violations of the Privacy Rule.
• HHS is also scrutinizing public health entities subject to HIPAA for compliance with the Security Rule.
– March 2014: HHS and Skagit County, Washington agreed to a $215,000 monetary settlement after the Skagit County Health Department suffered a data breach involving the compromise of seven individuals’ PHI. Skagit County had inadvertently moved the electronic PHI of 1,581 individuals, contained in money receipts, to a publicly accessible server.
– HHS concluded that in addition to the breach, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations as per the Security Rule.
– HHS also concluded there was an inadequate notification as required by the breach notification rule.
• January 2014: California A.G.’s office sued the Kaiser Foundation Health Plan concerning Kaiser’s alleged failure to promptly notify individuals about a security breach, as required by state law.
• A hard drive containing unencrypted information on 30,000 Kaiser Plan employees was purchased at a thrift store. Kaiser waited six months after learning about the breach before it provided notification to affected individuals.
• For settlement, Kaiser Plan agreed to:
– Be more prompt with notification of future breaches;
– Take steps to improve its data security practices; and
– Pay a $30,000 penalty and $120,000 to the A.G.’s office for legal fees and costs.
• January 2014: FTC settlement with GMR Transcription Service following the exposure of thousands of medical transcript files with PHI and PII.
• GMR allegedly failed to verify that its overseas service provider implemented appropriate security measures when transcribing audio files with PII and PHI.
• It had assured its customers that their information was highly protected and secured. But it failed to confirm that its service provider actually met those standards.
• PII and PHI was stored and transmitted without reasonable security measures, resulting in public access.
• The FTC settlement with GMR included:
– GMR’s commitment to establish, implement and maintain a fully documented and comprehensive information security program;
– GMR’s agreement to initial and biennial security assessments for the next 20 years; and
– A promise to make no further misrepresentations concerning information security measures.
• This signals that the FTC will hold companies (including health care companies) to a high bar regarding third-party vendor management and oversight.
Comprehensive Written Information Security Program
• A trend in regulatory settlements is to require that the breached company implement a Comprehensive Written Information Security Program.
• This program is in addition to a fine or penalty and is subject to periodic audits by the enforcing body.
• Audits can continue over the course of several years (if not decades).
• The costs include the human resources to implement the program, and/or retaining an outside firm to assist or take the place of internal resources.
The Ponemon Institute issued its ninth annual “Cost of Data Breach Study: Global Analysis”, based on a two-year survey of 314 companies across 10 countries. Each company experienced a data breach involving between 2,500 and 100,000+ records. No mega-breaches (e.g., Target) were included in the study.
Data Breach Costs: 2014 Ponemon Study
• The average cost of a data breach in the U.S. is $195/record. But for healthcare: $359/record.
• The average data breach in the U.S. involved about 30,000 records.
• So the average overall cost of a data breach for U.S. companies in this survey was $5.85 million, but for health care: $10.77 million.
The U.S. average total breach cost of $5.85M includes:
• $417K for detection and escalation costs
– forensic and investigative activities, assessment and audit services, crisis team management and communication to executive management and board of directors;
• $509K for notification costs
– IT activities associated with creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, second contacts to mail or email bounce-backs and inbound communication set up;
• $1.6M for post-breach costs
– help desk activities, inbound communications, special investigation activities, remediation, legal expenditures, product discounts, identity protection services and regulatory intervention;
• $3.3M for lost business costs
– abnormal turnover of customers, increased customer acquisition activities, reputational losses and diminished goodwill.
Cybersecurity Insurance Considerations
• Cybersecurity insurance may help to mitigate first and third party losses from a variety of cyber incidents.
• The U.S. Department of Commerce has described it as an “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by:
– Promoting the adoption of preventative measures;
– Encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and
– Limiting the losses that companies face following an attack.
• Anyone that collects, stores or transmits personal information has a cyber security exposure.
• How do you want to allocate your resources?
– Improving computer and data security procedures (risk mitigation), or
– Purchasing cyber security insurance (risk transfer), or
– Both?
• The Securities and Exchange Commission’s 2011 cyber security “Guidance” advised companies to disclose to investors a “description of relevant insurance coverage.”
• The federal government is encouraging businesses to obtain cyber security insurance.
– Dept. of Homeland Security held conferences in 2012-13 to encourage a more robust cyber security insurance market that offers more relevant policies at lower costs.
• More companies are buying cyber security policies:
– Per a 2013 Ponemon survey of nearly 19,000 security and risk management professionals:
• 31% say their company has a cyber security insurance policy, and
• 39% say they are planning to purchase one.
• Cyber security insurance is no longer just a niche product offered by a few carriers;
• More carriers are writing policies in this area:
– E.g., AIG, Liberty Mutual, Chubb Group, ACE, Beazley, Marsh & McLennan
• Coverages include third-party liabilities and first-party expenses. Specific coverages vary widely.
– Not all policies are the same;
– Critical to review the policy language and compare coverages between different carriers.
Third Party liability coverage may include:
• Litigation and regulatory response: For the costs associated with civil lawsuits, governmental inquiries, judgments, settlements, fines and/or penalties resulting from a cyber event.
• Notification costs: To notify customers, employees or others affected by a cyber event, including notice required by law.
• Crisis management and public relations expenses: To educate customers concerning a cyber event and the company’s response, including the cost of advertising for this purpose, and call centers.
• Credit monitoring: Costs of credit monitoring, fraud monitoring or other related services to parties affected by a cyber event.
• Media liability: Including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.
• Privacy liability: To employees or customers for a breach of privacy resulting from a cyber event.
First-party coverage may include:
• Forensic investigation: Legal, technical, or forensic costs to determine if an attack/breach occurred, to assess the scope and severity, and to stop it.
• Theft and fraud: The destruction or loss of the breached company’s data as the result of a malicious cyber event, including theft and transfer of funds.
• Business interruption: Lost income and related costs where a breached company is unable to conduct business due to a cyber event or data loss.
• Computer data loss and restoration: Physical damage to, or loss of use of, computer assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a breach/cyber attack.
• Extortion: Costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
• Cost? Ballpark per million in liability coverage:
– $2K - $15K for small and mid-size companies, and
– $17K - $50K-plus for larger companies.
• Post-Target, expect an increase in underwriting risk assessment processes by carriers, including in some cases an investigation of:
– network security, privacy policies, password protection, intrusion detection, vulnerability scanning and incident response plans.
• Post-Target, more companies now require their vendors to have cyber liability coverage and minimum limits, to ensure that:
– There is coverage in the event of a breach, and
– the vendors have gone through the due diligence/underwriting process necessary to obtain the coverage.
• Policy language is still evolving:
– Not much interpretative case law, yet;
– Coverage can vary greatly between different policies;
– Exclusions may be extremely broad;
– Don’t assume coverage – read the fine print.
• Beware: cyber security coverage has been eliminated from standard commercial general liability (CGL) policies in the last couple years.
– Cyber security is often an added endorsement today.
• In 2013 and 2014, the ISO standard-form primary, excess and umbrella CGL policies were revised to eliminate coverage for claims involving violation of privacy rights and data breaches. The stated rationale:
– when the standard-form CGL policy was developed, hacking activities and data breaches were not prevalent and, therefore, coverages related to the unauthorized access to or disclosure of PII and PHI were not contemplated under the policy.
• The take-away? Read the policy language closely and ask questions of the broker or agent to clearly understand what is and is not covered!
Questions?
Patrick X. Fowler Snell & Wilmer L.L.P. One Arizona Center Phoenix, AZ 85004
602.382.6213 [email protected]